Friday, April 22, 2005

Seisint: Update on Help for Victims and Security Procedures

What is Seisint doing to assist people whose identity may have been stolen as a result of recent security breaches? And what are they doing to prevent another massive security breach? Here is some updated information:

Helping Victims

LexisNexis, the company that owns Seisint, says it is in the process of notifying every individual whose whose personal information may have been accessed by identity thieves.

LexisNexis says it will provide all affected individuals with a consolidated report containing information from the three major credit bureaus, TransUnion, Equifax, and Experian.

LexisNexis says they will provide all affected individuals credit monitoring service for one year. This is a useful service, although some people think one year of monitoring is not enough.

LexisNexis says that, for anyone who is, or becomes a victim of Identity theft, the company will that person help from ID theft counselors, who can assist in them in the process of clearing their credit reports of any information related to fraudulent activity.

Security Procedures

LexisNexis says it is in the process of tightening its security procedures to prevent massive security breaches from happening again. (It should be noted the recent publicized breaches happened before LexisNexis purchased Seisint.)

LexisNexis claims it has a multi-layer process in place to screen potential customers, to ensure that only legitimate customers have access to individual personal information.

They say that they have a detailed authentication process to determine the validity of business licenses, memberships inprofessional societies and other credentials, and that they authenticate the documents to ensure they have not been tampered with or forged.

They also state that customers requesting access to sensitive information must go through a multi-step application and approval process, and that only customers with a permissible purpose under federal law are granted access to sensitive data such as driver’s license information and information and social security numbers.

LexisNexis points out that their customers are required to make express representations and warranties regarding access and use of sensitive information.

Clearly, these procedures are not enough, since it was through businesses with apparently legitimate access to Seisint information that the latest security breaches occurred. Often, it appears, employees of companies with access used the information for illegitimate reasons.

LexisNexis has announced that they plan to restrict access even more to the most sensitive personal information Seisint gathers, including Social Security Numbers and Driver’s License Numbers. They say they will do this by extending LexisNexis’ current more restrictive SSN truncation policy to Seisint. (Could they not have done this earlier?)

They are also planning a policy of “masking” driver’s license numbers.

They also say they are conducting an on-going review of all it’s security practices, authorization and verification procedures, and privacy policies across its businesses.

LexisNexis also says that they are reviewing their verification and security procedures, at both LexisNexis and Seisint.

This would include:

• Enhancing ID and password administration procedures. • Enhancing security requirements applied to their customers. • Working with law enforcement and outside consultants to establish new procedures and techniques to thwart criminal activity.